Jason Steer, solutions architect, EMEA, Menlo Security

Why do robbers break into banks? Because customers trust banks, and keep their gold and diamonds in the vault. Why do hackers attack and subvert media sites and use them as malware delivery systems? For a similar reason: millions of citizens trust media brands, and spend a lot of time on those high-traffic sites. With high-profile “stories” like Brexit, the Rio Olympics, ISIS attacks and the forthcoming US elections, online publications will receive unprecedented amounts of traffic. Visitors to some of those media sites will be exposed to malware – sometimes due to successful hacks against those sites, and sometimes due to poor security precautions at media companies' numerous partners.

Let's start with some typical media sites. According to eBizMBA, as of July 2016, the top sites for news for US traffic were Yahoo News, Google News, the Huffington Post, CNN, the New York Times, Fox News, NBC News, Mail Online, the Washington Post and the Guardian. On a global scale, top sites include sources such as Le Monde, China Daily and Nihon Keizai Shinbun (better known as Nikkei). All these sites capture the attention of tens of millions of visitors each month.

Historically, we have seen attackers compromise the infrastructure of top media sites because they have the motive, it is relatively easy to do and the risk of getting caught is minimal. Attacks have ranged from crimeware campaigns that target large numbers of visitors to make lots of money, through to state-sponsored attacks against highly targeted subsets of visitors, aimed at getting into specific organisations' networks for data and IP.

All of these large media sites carry a risk to every visitor that lies beyond their own website and outside their control, and that risk has continued to grow from 2014 to now.

• Each of the media sites contains links to external sites. Some of those sites are linked in news stories, which might be sites related to entertainment, celebrities, local businesses, politicians and even non-profit organisations. Other links are in advertisements. Readers trust their news organisations and are likely to click on those links, believing them to be safe. Attacks against those sites would also affect millions of people, thanks to traffic brought in by the media sites.

• In their quest to improve profits, and to incorporate ever-more-sophisticated functionality into their web platforms, media companies have partnered with an amazing array of external organisations, including ad networks, real-time analytics, behavioural trackers and performance optimisers. Are all those external services safe? There is no way for anyone — including the media company — to be entirely certain.

Third parties are a weakness

When you visit a website – including the site where you may be reading this story right now – you have little idea of, and almost no control over, which servers are supplying content and active code into your browser. Some of those servers obviously belong to the media site you are visiting, and are delivering HTML code and images for this story. Meanwhile, in the background, dozens of other sites are also supplying code over the internet. That active code is executed inside your browser, on your computer, within your business's network. The code may be JavaScript or Java or Flash. Any of it could be malicious. Traditional security detection tools fail to detect all known and unknown web threats today.
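One way a site owner or analyst can see which outside servers feed active content into a page, as an added example that is not part of the original article: the Python below parses a page's HTML and lists every third-party host referenced by script, iframe, embed and object tags. The sample page and all hostnames are constructed placeholders, and "first party" is approximated by the last two DNS labels, which is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that pull active content into the page, and the attribute naming its source.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

def site_of(host):
    # Crude site key (assumption): last two DNS labels; a real tool would use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class ActiveContentInventory(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.first_party = site_of(urlsplit(page_url).hostname)
        self.third_party = {}  # host -> set of tag names that load from it

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        src = dict(attrs).get(attr) if attr else None
        if not src:
            return  # not an active-content tag, or inline code with nothing fetched
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlsplit(urljoin(self.page_url, src)).hostname
        if host and site_of(host) != self.first_party:
            self.third_party.setdefault(host, set()).add(tag)

def third_party_hosts(page_url, html):
    inv = ActiveContentInventory(page_url)
    inv.feed(html)
    return {h: sorted(t) for h, t in sorted(inv.third_party.items())}

# Constructed sample page; every hostname here is a placeholder.
SAMPLE = """
<html><head>
<script src="/static/app.js"></script>
<script src="//cdn.adnetwork.test/tag.js"></script>
<script src="https://metrics.tracker.test/t.js" async></script>
<script>var inline = 1;</script>
</head><body>
<iframe src="https://ads.adnetwork.test/slot?id=1"></iframe>
<object data="https://media.news.example/player.swf"></object>
<img src="https://img.other.test/pixel.gif">
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts("https://www.news.example/story", SAMPLE).items():
        print(host, tags)
```

This only sees what the static HTML references; scripts that load further scripts at run time do not appear in it.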

What can you do?

In many cases, the media sites are just as much victims as consumers. My advice to media sites is two-fold. First, cut back on the external services, including user trackers. Second, stop trying to prevent users from using ad blockers; ads represent one of the biggest security vulnerabilities.

Here are some ways you, your family, and your employees can try to protect yourself against malware delivered by media websites:

• Keep your operating system, your browser, and your security software up to date. Install patches as soon as possible, especially if they are security-related.

• Use Private Browsing Mode when visiting sites you don't trust, to make it harder for malicious software to get a foothold.

• Don't trust any site. Any website can be hacked or become an attack vector. Paranoia is okay.

• Consider installing several browsers on your computer. Use the default browser for visiting media sites, playing games, or just otherwise having fun. Use a secondary browser only for secure activities, such as e-commerce or online banking.

• Use an ad blocker, and avoid websites that try to prevent your using an ad blocker.

• Look at browser add-ins that can block client-side scripting, such as JavaScript, and turn off the ability to run Flash and Java inside your browser.

• Think before you click – and that includes ads.

• Consider using a service that “sandboxes” or isolates your browser by running the browser session on an external server in the cloud.

Contributed by Jason Steer, solutions architect, EMEA, Menlo Security

Editor's comment. We have run this article which advises readers to use an ad-blocker, though if all readers did so we would have to charge for content or cease publication.